Let’s Talk About Detection Rules in Sublime Security (EDR for Email!)
- Aug 12
- 6 min read
Updated: Aug 13

Okay, so in this post we’re going to explore one of my favorite features of Sublime Security — the Detection Rules tab, also known as your email detection posture. This is where things get really cool, especially if you love having visibility AND control over what happens in your email ecosystem.
So, here's the deal — Sublime Security puts everything online on GitHub.
Yep, it’s all open-source. You can:
Write your own rules,
Use existing community rules,
Customize anything you like.
No walled gardens, no black boxes. Just raw detection power at your fingertips.

🧠 How the Rules Are Organized
The Detection Rules tab is the place where all the action starts. And trust me — they’ve done a neat job organizing everything.
The rules are split into two main categories:

1. Attack Types
Think of these like the “what is the attacker trying to do?” side of things. Each type reflects the attacker’s primary goal — whether it's phishing for creds, spreading malware, or just trying to socially engineer someone into transferring funds.
Here are some examples:
BEC/Fraud – Business Email Compromise. These are those sneaky emails where someone pretends to be your CEO, a vendor, or someone else important, trying to get you to send money or share sensitive info. No malware, no malicious links — just pure social engineering.
Callback Phishing – This one’s clever. The attacker tricks you into calling a phone number. From there, it’s game over. They might lead you to malware, steal data, or worse.
Credential Phishing – This one’s classic. Think fake Microsoft login pages, Google Docs prompts, etc. — all designed to steal your usernames and passwords.
Extortion – Like the old "we’ve got your data, now pay us" scenario.
Malware/Ransomware – Where attachments or links lead to malware payloads.
Reconnaissance – This is like the attacker dipping their toe in to see if your email system bites back. They’re testing spam filters, checking which emails land in inboxes, and mapping targets before launching the real deal.
Spam – Not all spam is evil, but it’s annoying and sometimes a smokescreen for worse things.
2. Tactics and Techniques
This section dives into how the attackers are doing what they’re doing. You get insight into the tools and tricks used to evade detection.

Some cool examples:
Encryption – Emails that are encrypted just enough to sneak past scanners.
Evasion – Tactics like obfuscation, spoofing headers, hiding links in weird places.
Free Email Providers – Attackers love using Gmail and Outlook to look “normal.”
Free File Hosts – Dropbox and Google Drive links aren’t always innocent.
HTML Smuggling – A technique where malware is hidden inside HTML files.
... and the list goes on.
🛠 Why I Absolutely LOVE This
Now, you might ask — “Dean, why are you geeking out over this?”
Let me tell you why: Sublime lets you apply actions per category or even per rule. That’s right. You’re not locked into a single response for every kind of threat.
(There is an even better method as well, automation, which we will discuss in the next article. But Sublime gives you this per-rule ability too, so you have to choose which approach you are going to use.)
For example:
You’ve got 74 BEC/Fraud rules. (The count keeps increasing, and you can add your own as well.)

And 35 Spam rules.

Let’s say:
For all BEC/Fraud emails → you want them to be auto-quarantined or auto-reviewed (Malicious).
Before applying any action:

Applying the action:

After applying the action:

But for Spam → maybe you just want to move it to the spam folder and add a warning banner.
---------------------------------------------------------------------------------------------------------
One thing to keep in mind: suppose a rule that is under BEC/Fraud also comes under Spam. Don't get confused or worried.
Now you will ask, "Dean, then how will the action work?" Remember the hierarchy I told you about!
If multiple rules try to classify the same message, the platform uses this order of priority:
Simulation > Benign > Malicious > Spam > Graymail. So if one rule tags it as Simulation and another as Malicious, Simulation wins.
-------------------------------------------------------------------------------------------------------
You can set different actions per type. That flexibility? HUGE.
And yes — you can mix and match:
Set a warning banner plus move to spam.
Or trigger user reporting.
Or simply alert only, if you want to monitor before acting.
This level of control is something most EDRs or email gateways charge a premium for — Sublime gives it right out of the box.
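To make the hierarchy and the per-category actions concrete, here is a small added example (my own illustration, not Sublime Security's code). It encodes the precedence order quoted above and a constructed action map where BEC/Fraud rules count as Malicious and get quarantined while Spam rules move the mail and add a banner; the rule names, verdict labels and action names are all made up for the demo.

```python
"""Resolve which verdict wins when several detection rules match one message.

Added example, not Sublime Security's code. It encodes the precedence order
quoted in the post (Simulation > Benign > Malicious > Spam > Graymail) and a
constructed per-verdict action map that mirrors the post's BEC-vs-Spam example.
Rule names, verdict labels and actions below are constructed for illustration.
"""
from dataclasses import dataclass

# Precedence from the post: the earlier entry wins a tie between rules.
PRECEDENCE = ["simulation", "benign", "malicious", "spam", "graymail"]
RANK = {verdict: i for i, verdict in enumerate(PRECEDENCE)}

# Constructed action map: BEC/Fraud rules classify as malicious and get
# quarantined; Spam rules move the mail and add a banner, as in the post.
ACTIONS_BY_VERDICT = {
    "simulation": {"alert_only"},
    "benign": set(),
    "malicious": {"quarantine"},
    "spam": {"move_to_spam", "warning_banner"},
    "graymail": {"alert_only"},
}


@dataclass(frozen=True)
class RuleHit:
    """One rule that matched the message and the verdict its category assigns."""
    name: str
    verdict: str


def resolve(hits):
    """Return the winning verdict, the rules that carry it, and the rules whose
    verdict was overridden. A None verdict means no rule fired."""
    for hit in hits:
        if hit.verdict not in RANK:
            raise ValueError(f"rule {hit.name!r} has unknown verdict {hit.verdict!r}")
    if not hits:
        return {"verdict": None, "winning_rules": [], "overridden": []}
    verdict = PRECEDENCE[min(RANK[h.verdict] for h in hits)]
    return {
        "verdict": verdict,
        "winning_rules": [h.name for h in hits if h.verdict == verdict],
        "overridden": [h.name for h in hits if h.verdict != verdict],
    }


def planned_actions(hits):
    """Actions to apply, taken from the winning verdict only."""
    verdict = resolve(hits)["verdict"]
    return set() if verdict is None else set(ACTIONS_BY_VERDICT[verdict])


if __name__ == "__main__":
    # The post's case: a BEC/Fraud rule and a Spam rule fire on the same mail.
    hits = [RuleHit("bec_ceo_wire_request", "malicious"),
            RuleHit("spam_bulk_promo", "spam")]
    print(resolve(hits), planned_actions(hits))
```

The `overridden` list is the useful bit for an analyst: when a message lands in quarantine you can see which lower-priority rules also fired but did not decide the outcome.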
📈 What’s Rule Effectiveness?
So there's this nifty section called Rule Effectiveness. Basically, it gives you insight into how well your detection rules are working.


Key points:
It only shows data from live-processed emails. So your test emails or old logs won’t count.
You can see:
Who created or last updated the rule,
How many emails were flagged,
What actions are assigned to the rule,
How many reviewed.
It’s perfect for fine-tuning your rules, especially if you want to weed out false positives or catch things your current posture misses.
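Here is an added example of the kind of math behind a Rule Effectiveness view (my own illustration, not Sublime's code or data). The records are constructed: each is one message a rule flagged, with where it was processed, the action the rule carried, and the analyst's review label if any. It drops anything that was not live-processed, which is the point made above, and then lists rules whose reviewed false-positive rate says they need tuning.

```python
"""Compute rule-effectiveness style metrics from detection records.

Added example, not Sublime Security's code or data. The records below are
constructed: each is one message a rule flagged, with where it was processed
('live', 'test' or 'historical'), the action the rule carried, and the analyst
review label if it was reviewed. Only live records count, as the post notes.
"""

RECORDS = [
    {"rule": "bec_ceo_wire_request", "owner": "dean", "source": "live",
     "action": "quarantine", "review": "true_positive"},
    {"rule": "bec_ceo_wire_request", "owner": "dean", "source": "live",
     "action": "quarantine", "review": "false_positive"},
    {"rule": "bec_ceo_wire_request", "owner": "dean", "source": "live",
     "action": "quarantine", "review": None},
    {"rule": "bec_ceo_wire_request", "owner": "dean", "source": "test",
     "action": "quarantine", "review": "true_positive"},
    {"rule": "spam_bulk_promo", "owner": "community", "source": "live",
     "action": "move_to_spam", "review": "false_positive"},
    {"rule": "spam_bulk_promo", "owner": "community", "source": "live",
     "action": "warning_banner", "review": "false_positive"},
    {"rule": "spam_bulk_promo", "owner": "community", "source": "live",
     "action": "move_to_spam", "review": "true_positive"},
    {"rule": "spam_bulk_promo", "owner": "community", "source": "historical",
     "action": "move_to_spam", "review": None},
]

REVIEW_LABELS = {"true_positive", "false_positive"}


def rule_effectiveness(records):
    """Per-rule counts of flagged, reviewed, TP and FP, from live traffic only."""
    stats = {}
    for rec in records:
        if rec["source"] != "live":
            continue  # test sends and historical replays are not counted
        s = stats.setdefault(rec["rule"], {
            "owner": rec["owner"], "flagged": 0, "reviewed": 0,
            "true_positive": 0, "false_positive": 0, "actions": set()})
        s["flagged"] += 1
        s["actions"].add(rec["action"])
        label = rec["review"]
        if label is None:
            continue  # flagged but nobody has reviewed it yet
        if label not in REVIEW_LABELS:
            raise ValueError(f"unknown review label {label!r} on {rec['rule']}")
        s["reviewed"] += 1
        s[label] += 1
    for s in stats.values():
        s["fp_rate"] = (s["false_positive"] / s["reviewed"]) if s["reviewed"] else None
    return stats


def tuning_candidates(stats, max_fp_rate=0.5, min_reviewed=2):
    """Rules whose reviewed false-positive rate is above the threshold.
    min_reviewed avoids judging a rule on one or two reviews."""
    return sorted(
        name for name, s in stats.items()
        if s["reviewed"] >= min_reviewed
        and s["fp_rate"] is not None
        and s["fp_rate"] > max_fp_rate)


if __name__ == "__main__":
    stats = rule_effectiveness(RECORDS)
    for name, s in stats.items():
        print(name, s)
    print("needs tuning:", tuning_candidates(stats))
```

Note that a rule with unreviewed hits has a lower reviewed count than its flagged count; the false-positive rate is computed over reviewed messages only, so reviewing is what makes the number meaningful.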
⚠️ One Thing to Remember
By default, all rules are alert-only when you enable them. So no actions will be taken until you define them. That’s actually a good thing, because it gives you time to understand how your rules behave.
You can assign actions such as:
Quarantine,
Add warning banners,
Enable user reports,
Auto-delete (if you dare),
Or just monitor.
Totally your call.
🧪 What About ASR Rules?
We’ve talked about ASR (Advanced Security Rules) in a previous article, but I might just copy-paste that again or share a link, lol 😄. Basically, it’s another set of rules:
Attack Surface Reduction in Sublime Security is a specialized category of MQL Detection Rules that target abnormal or risky patterns in emails. Think of it as your "proactive threat filter" for Microsoft 365 and Google Workspace environments.

---------------------------------------------------------------------------------------------------------
Detection Methods Rules
Before we wrap up, let’s touch on the Detection section of the analysis view, specifically the Detection Methods Rules.

This section highlights the technical methods and Sublime’s custom rule-based techniques that identified and flagged the threat. These rules often represent the logic or patterns the system detected in an email—such as suspicious sender behavior, impersonation attempts, or malicious links.
💡 Tip: These are editable rules—if you see something that needs adjusting or tuning to better fit your environment, you can modify them. It’s an excellent way to fine-tune detection for your organization.
Historical Ingestion
Another important capability of Sublime Security is Historical Ingestion.

What is Historical Ingestion?
Historical Ingestion is a powerful feature that allows you to ingest and analyze past email messages to build contextual baselines for better real-time detection and tuning. When you first deploy Sublime or activate new mailboxes, it prompts you to run historical ingestion so that it can learn from your environment.
Why it matters:
Establishes behavioral baselines for what’s normal across your org.
Helps reduce false positives by learning from how you label previous threats.
Gives you insight into how Sublime would have flagged past messages, so you can tune and adjust before going live.
Key Steps:
Review and label results from historical analysis. Labeling helps train Sublime’s models and improve future detections.
You can also exclude safe messages during this review to fine-tune detection and prevent noisy alerts.
Once you complete labeling, activate your rules for real-time detection.
Running historical ingestion doesn’t impact mail flow—it’s a passive process designed to improve accuracy.

🔧 For best results, make sure all mailboxes are activated and configure message retention to allow analysis as far back as you’re comfortable.
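To show the idea behind the steps above, here is an added example (my own illustration, not Sublime's code, model or data). It builds a baseline of who normally emails you from an older window of constructed messages, dry-runs a simple first-contact check over the later messages without touching mail flow, and then shows how labeling a sender as safe during review stops it from flagging. The addresses, domains, dates and the `min_seen` threshold are all made up for the demo.

```python
"""Replay a historical mail window against a baseline built from older mail.

Added example, not Sublime Security's code or data. It shows the idea behind
historical ingestion from the post: build a baseline of who normally emails
you, dry-run a simple first-contact check over later messages without touching
mail flow, then label safe senders so they stop flagging. Messages, domains,
the cutoff date and the min_seen threshold are constructed for illustration.
"""
from collections import Counter

# Constructed messages: (ISO date, sender address, subject). The final one
# comes from partner-c0rp.example, a lookalike of partner-corp.example.
HISTORICAL = [
    ("2025-05-02", "alice@partner-corp.example", "Q2 invoice"),
    ("2025-05-09", "alice@partner-corp.example", "Q2 invoice reminder"),
    ("2025-05-15", "bob@partner-corp.example", "Contract renewal"),
    ("2025-06-01", "newsletter@news-digest.example", "Weekly digest"),
    ("2025-06-20", "ceo@partner-c0rp.example", "Urgent wire transfer"),
]


def sender_domain(address):
    """Domain part of an address, lower-cased for comparison."""
    return address.rsplit("@", 1)[1].lower()


def build_baseline(messages, cutoff):
    """Count sender domains in messages dated strictly before the cutoff."""
    return Counter(sender_domain(s) for d, s, _ in messages if d < cutoff)


def would_flag(message, baseline, known_safe, min_seen=2):
    """First-contact check: flag a sender whose domain was seen fewer than
    min_seen times in the baseline and has not been labeled safe."""
    domain = sender_domain(message[1])
    if domain in known_safe:
        return False
    return baseline[domain] < min_seen


def dry_run(messages, cutoff, known_safe=frozenset()):
    """Replay messages on or after the cutoff against the baseline and return
    the sender addresses the check would have flagged. Nothing is moved or
    quarantined; this is the passive review pass the post describes."""
    baseline = build_baseline(messages, cutoff)
    return [m[1] for m in messages
            if m[0] >= cutoff and would_flag(m, baseline, known_safe)]


def label_safe(known_safe, safe_addresses):
    """Review step: senders the analyst marks safe join the exclusion set
    by domain, so the next dry run no longer flags them."""
    return frozenset(known_safe) | {sender_domain(a) for a in safe_addresses}


if __name__ == "__main__":
    cutoff = "2025-06-01"
    first_pass = dry_run(HISTORICAL, cutoff)
    print("would flag:", first_pass)
    safe = label_safe(frozenset(), ["newsletter@news-digest.example"])
    print("after labeling:", dry_run(HISTORICAL, cutoff, safe))
```

The first pass flags both the newsletter and the lookalike domain; after the newsletter sender is labeled safe, only the lookalike remains, which is exactly the noise reduction you want before switching the rules from alert-only to real actions.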
---------------------------------------------------------------------------------------------------------
I would suggest waiting for my next article before enabling actions on Detection Rules; you might find that way better!
-------------------------------------------------------------------------------------------------------------
🎯 Final Thoughts
Sublime Security is truly building something special — like an EDR, but for your email. The detection rules tab is where it all comes together: visibility, customization, and control — all in one dashboard.
Try it out — play with the rules. Trust me, you’ll enjoy the control it gives you over your email security like never before.
--------------------------------------------Dean----------------------------------------------------
Upcoming Article: Automations in Sublime Security: A Smarter Way to Respond to Email Threats
---------------------------------------------------------------------------------------------------

